On Mon, 18 Oct 2021, Dave Houser wrote:
> > With IKEv2, pluto treats the liveness exchange (nee dpd probe) the
> > same as any other. It uses:
> > retransmit-timeout=...
>
> I tried setting the "retransmit-timeout" setting to something lower like "5s",
> then re-added my config and turned up the tunnel. I then cleared the SA on the
> Juniper, and then waited 5 seconds, nothing happened in the logs. However after
> ~300s I see this in the logs.
>
> Oct 18 17:17:34.768743: "to-vsrx-01" #62: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 300.047581s and NOT sending notification

The lines above that one matter. One did it delete the state? Did it
receive a Delete request? Did it time out? What triggered the
deletion?
The rest is just a restart mechanism.

> Oct 18 17:17:34.953122: netlink_acquire got message with length 116 < 232 bytes; ignore message
> Oct 18 17:17:34.953132: netlink_acquire got message with length 116 < 232 bytes; ignore message
> Oct 18 17:17:34.953150: netlink_acquire got message with length 116 < 232 bytes; ignore message
> Oct 18 17:17:34.953160: netlink_acquire got message with length 60 < 232 bytes; ignore message
> Oct 18 17:17:34.953166: netlink_acquire got message with length 52 < 232 bytes; ignore message
> Oct 18 17:17:34.953195: netlink_acquire got message with length 52 < 232 bytes; ignore message

These can probably be ignored, but it is still odd to get very small
kernel to userland messages. You can try and see what these are using
"ip xfrm monitor" (at the time they are happening).

> This led me to believe there is another setting that I could adjust in
> libreswan that is waiting ~300s before trying to retransmit.
> Is there a setting that controls "aged 300.047581s and NOT sending
> notifications"?

Maybe on the remote end?
Paul
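
The reply above says the lines preceding the "deleting state" entry are what show the trigger. The script below is an added example, not code from this thread or from libreswan: it pulls those preceding lines for the same connection out of a pluto log. The sample log is constructed; only the "deleting state" and netlink_acquire lines follow the format quoted in the thread, the "constructed placeholder" messages are not real pluto output, and `deletion_context` is a hypothetical helper name.

```python
import re
from datetime import datetime, timedelta

# Timestamp, optional '"conn" #serial: ' prefix, then the message text.
LINE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (?:"([^"]+)" #(\d+): )?(.*)$')
DELETE = re.compile(r'deleting state \((\w+)\) aged ([\d.]+)s')

def parse(line):
    """Return (timestamp, connection, state serial, message) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    # pluto timestamps carry no year; only differences are used here.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
    return ts, m.group(2), m.group(3), m.group(4)

def deletion_context(lines, window=timedelta(seconds=10)):
    """For every 'deleting state' entry, collect the earlier entries for the
    same connection that fall inside `window`. Lines with no connection
    prefix (such as netlink_acquire) are left out."""
    events = [e for e in map(parse, lines) if e]
    reports = []
    for i, (ts, conn, serial, msg) in enumerate(events):
        hit = DELETE.search(msg)
        if not hit:
            continue
        before = [f"#{s}: {m}" for (t, c, s, m) in events[:i]
                  if c == conn and ts - t <= window]
        reports.append({"conn": conn, "state": serial, "kind": hit.group(1),
                        "aged": float(hit.group(2)), "before": before})
    return reports

# Constructed sample log (wrapped lines already rejoined).
SAMPLE = [
    'Oct 18 17:12:34.721162: "to-vsrx-01" #62: constructed placeholder: SA set up',
    'Oct 18 17:17:30.100000: "to-vsrx-01" #62: constructed placeholder: event A',
    'Oct 18 17:17:34.700000: "to-vsrx-01" #63: constructed placeholder: event B',
    'Oct 18 17:17:34.768743: "to-vsrx-01" #62: deleting state '
    '(STATE_V2_ESTABLISHED_IKE_SA) aged 300.047581s and NOT sending notification',
    'Oct 18 17:17:34.953122: netlink_acquire got message with length 116 < 232 '
    'bytes; ignore message',
]

if __name__ == "__main__":
    for r in deletion_context(SAMPLE):
        print(f'{r["conn"]} #{r["state"]} {r["kind"]} aged {r["aged"]}s')
        for entry in r["before"]:
            print("   preceded by", entry)
```
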